Lately Spring Security 3.0.0 Released. A good reason to free my pebble workspace from the dust of late 2009. How about using a current spring-security in an OSGi/Web environment like this pebble installation?
Very good news in web.xml everything looks very familiar (if you don't use Acegi...):
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
To provide a nonupdateable username/password account e.g. development/demo purposes an authentication manager like this is all you need:
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="username" password="password"
authorities="ROLE_BLOG_ADMIN,ROLE_BLOG_OWNER,ROLE_BLOG_PUBLISHER,ROLE_BLOG_CONTRIBUTOR" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<security:http>
<security:form-login
login-page="/login.action"
authentication-failure-url="/loginFailed.action"
default-target-url="/index.jsp" />
<security:logout logout-url="/j_spring_security_logout" logout-success-url="/" />
</security:http:>
Running Pebble inside an OSGi environment these Require-Bundle lines provide the needed visibilities.
org.springframework.security.config;bundle-version="[3.0.0,4.0.0)",
org.springframework.security.core;bundle-version="[3.0.0,4.0.0)",
org.springframework.security.taglibs;bundle-version="[3.0.0,4.0.0)",
org.springframework.security.web;bundle-version="[3.0.0,4.0.0)",
I'm curious to see OpenID/Kerberos in action...